[Bug 1165615] New: VUL-0: envoy-proxy: multiple security issues
http://bugzilla.opensuse.org/show_bug.cgi?id=1165615

Bug ID: 1165615
Summary: VUL-0: envoy-proxy: multiple security issues
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: mrostecki@suse.com
Reporter: abergmann@suse.com
QA Contact: security-team@suse.de
Found By: ---
Blocker: ---

This only affects openSUSE:Factory.

https://blog.getambassador.io/high-severity-vulnerabilities-in-envoy-proxy-3...

The full list of vulnerabilities addressed in this release is:

* CVE-2020-8659 (CVSS score 7.5, High): Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks.
* CVE-2020-8661 (CVSS score 7.5, High): Envoy version 1.13.0 or earlier may consume excessive amounts of memory when responding internally to pipelined requests.
* CVE-2020-8664 (CVSS score 5.3, Medium): Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context not being applied, even though it was visible in the active config dump.
* CVE-2020-8660 (CVSS score 5.3, Medium): TLS inspector could have been bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process.

These security fixes are also included in Envoy 1.13.1 and 1.12.3, which are also being released today.

--
You are receiving this mail because:
You are on the CC list for the bug.
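The CVE-2020-8659 item above describes a proxy buffering per-chunk state for a body sent as a flood of 1-byte chunks. The following added example (not code from the bug report or from the Envoy project) is a minimal HTTP/1.1 chunked-body decoder that aborts early when the number of chunks grows out of proportion to the bytes they carry; the thresholds `CHUNK_FLOOR` and `MIN_AVG_CHUNK` and the helper names are assumptions chosen for illustration.

```python
# Added example, not from the bug report or Envoy: a chunked-body decoder
# that bounds per-chunk overhead, the condition behind CVE-2020-8659.

CHUNK_FLOOR = 4      # assumption: this many chunks are always allowed
MIN_AVG_CHUNK = 8    # assumption: beyond the floor, require >= 8 bytes/chunk on average


class ChunkingRejected(ValueError):
    """Raised when a body looks like a tiny-chunk flood."""


def decode_chunked(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body, rejecting abusive chunk patterns.

    The check runs after every chunk, so a flood of 1-byte chunks is cut
    off after CHUNK_FLOOR + 1 chunks instead of being buffered in full.
    """
    out = bytearray()
    pos = 0
    chunks = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size_field = raw[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailers, if any, are ignored here
        chunks += 1
        out += raw[pos:pos + size]
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2
        # Allow CHUNK_FLOOR chunks unconditionally, then one per MIN_AVG_CHUNK bytes.
        allowed = max(CHUNK_FLOOR, len(out) // MIN_AVG_CHUNK)
        if chunks > allowed:
            raise ChunkingRejected(f"{chunks} chunks for {len(out)} bytes")
    return bytes(out)


def encode_chunked(payload: bytes, chunk_size: int) -> bytes:
    """Constructed sample input: split payload into fixed-size chunks."""
    parts = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


def is_tiny_chunk_flood(raw: bytes) -> bool:
    """True when decode_chunked rejects the body for its chunk pattern."""
    try:
        decode_chunked(raw)
    except ChunkingRejected:
        return True
    return False
```

Running `is_tiny_chunk_flood(encode_chunked(b"a" * 64, 1))` returns True after the fifth chunk, while the same payload in 32-byte chunks decodes normally.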